Node-ipc npm Package Compromised Again: A Major Supply Chain Attack
In a significant security breach, the widely utilized JavaScript library, node-ipc, has been compromised for the second time since 2022. This package, essential for inter-process communication in Node.js applications and boasting over 822,000 weekly downloads, has been infiltrated with malicious code. Security firms Socket and StepSecurity have identified that versions 9.1.6, 9.2.3, and 12.0.1 of node-ipc contain obfuscated stealer and backdoor payloads, posing a severe threat to developers and organizations relying on this package.
Details of the Compromise
The attack appears to have originated from the takeover of a dormant maintainer account. Security researcher Ian Ahl (@TekDefense), CTO at Permiso, highlighted that the likely vector was a domain takeover. The domain atlantis-software[.]net, associated with the npm maintainer account atiertant, expired on January 10, 2025. An attacker re-registered this domain on May 7, 2026, via NameCheap, enabling them to reset the npm account password and gain publishing rights without accessing the original maintainer’s infrastructure.
Mechanism of the Malicious Payload
The injected malicious code resides exclusively in the CommonJS entry point file, node-ipc.cjs, appended as a single obfuscated Immediately Invoked Function Expression (IIFE). Developers loading the package with `require('node-ipc')` are at risk, whereas those using the ECMAScript Module (ESM) syntax may not be directly affected.
Upon execution, the payload initiates a detached child process and performs the following actions:
– System Fingerprinting: Collects operating system metadata, including platform, architecture, hostname, and system information.
– Credential Harvesting: Targets over 100 specific files and configurations, extracting sensitive data such as AWS, Azure, and Google Cloud credentials; Kubernetes and Docker configurations; SSH keys; npm tokens; GitHub and GitLab credentials; Terraform secrets; environment variables; shell histories; and macOS Keychain databases.
– Data Archiving: Compiles the harvested data into a gzip-compressed tarball stored in the system’s temporary directory.
– Data Exfiltration: Transmits the compressed archive via DNS TXT queries to a command-and-control (C2) server masquerading as an Azure service, using the domain sh[.]azurestaticprovider[.]net.
Notably, each file within the malicious archive is timestamped October 26, 1985, a deliberate marker that can aid in identifying compromised systems.
Indicators of Compromise (IOCs)
To assist in detecting and mitigating this threat, the following IOCs have been identified:
– Malicious Package Versions: node-ipc 9.1.6, 9.2.3, and 12.0.1
– File Hashes:
– node-ipc.cjs SHA-256: 96097e0612d9575cb133021017fb1a5c68a03b60f9f3d24ebdc0e628d9034144
– node-ipc-9.1.6.tgz SHA-256: 449e4265979b5fdb2d3446c021af437e815debd66de7da2fe54f1ad93cbcc75e
– node-ipc-9.2.3.tgz SHA-256: c2f4dc64aec4631540a568e88932b61daebbfb7e8281b812fa01b7215f9be9ea
– node-ipc-12.0.1.tar.gz SHA-256: 78a82d93b4f580835f5823b85a3d9ee1f03a15ee6f0e01b4eac86252a7002981
– Command-and-Control Domain:
– sh[.]azurestaticprovider[.]net
Recommended Actions
Developers and organizations utilizing node-ipc should take immediate steps to mitigate potential damage:
1. Audit Dependencies: Review project dependencies to identify if any of the compromised versions are in use.
2. Remove Malicious Versions: If affected versions are detected, remove them promptly and revert to a known safe version.
3. Rotate Credentials: Assume that any credentials or sensitive information on systems where the compromised package was installed may be exposed. Rotate all potentially affected credentials, including API keys, tokens, and passwords.
4. Monitor Network Traffic: Implement monitoring for unusual DNS TXT query patterns, which may indicate data exfiltration attempts.
5. Enhance Security Practices: Strengthen security measures around package management, including verifying the integrity of packages before installation and monitoring for unusual account activities.
Broader Implications
This incident underscores the persistent vulnerabilities within the open-source software supply chain. The node-ipc package had previously been compromised in 2022 when a developer introduced code that targeted users with IP addresses located in Russia or Belarus, overwriting files with a peace message. Such incidents highlight the critical need for vigilance and robust security practices in managing open-source dependencies.
Supply chain attacks have become increasingly prevalent, with attackers exploiting the trust placed in widely used packages to distribute malicious code. For instance, in September 2025, a massive supply chain attack known as Shai-Hulud compromised 477 npm packages, including those from reputable organizations like CrowdStrike. These attacks often involve injecting backdoors and trojanized modules designed to exfiltrate sensitive information and enable remote code execution on developer machines.
The node-ipc compromise serves as a stark reminder of the importance of maintaining strict control
Category: Security News